THE WORST HACKS OF 2018

WIRED - Lily Hay Newman

After years of targeted hacks, epic heists, and run of the mill data breaches you might think that institutions would be getting wise to the importance of strong cybersecurity. But it seems 2018 was not the year. Here’s WIRED’s look back at the biggest breaches, data exposures, ransomware attacks, state-sponsored campaigns, and general hacks of the year.

Stay safe in 2019.

At the end of November, the massive hotel chain Marriott announced that as many as 500 million travelers who made a reservation at a Starwood hotel since 2014 had their data compromised. The hack originated at Starwood’s reservation system; Marriott acquired that hotel group in September 2016, but the intrusion went undetected until September 8 of this year. Marriott says it blocked attacker access by September 10, but it took until November 19 for the company to fully understand the scale of the breach. Reports have increasingly indicated state-sponsored Chinese hackers were behind the attack, though this attribution has not been officially confirmed. The stolen data would be an espionage bonanza for government hackers, though. About 170 million impacted Marriott customers only had their names and basic information like address or email address stolen, but about 327 million people lost much more. Marriott says that this larger group had different combinations of name, address, phone number, email address, date of birth, gender, trip and reservation information, passport number, and Starwood Preferred Guest account information stolen. The Marriott incident is one of the largest data breaches in history.

At the end of September, Facebook disclosed a data breach in which attackers gained access to 30 million accounts by stealing “user authorization tokens,” essentially access badges that get generated after a user successfully logs in. Sites use authorization token schemes so users don’t need to sign in multiple times as they move around a platform. In Facebook’s case, the attackers coordinated exploitation of three different bugs in the social network’s “View As” feature to grab user tokens, gain access to Facebook accounts, and exfiltrate a significant and diverse trove of user data. The vulnerabilities existed in Facebook’s platform since July 2017, but the company only detected suspicious activity related to them on September 14 of this year. Eventually, Facebook discovered the flaws and the attack on September 25. Here’s how to check whether your Facebook account data was compromised in the breach. The company is investigating with the FBI, and hasn’t said who may have been behind the hack. The incident is Facebook’s first known data breach—impressive given that the platform has existed for well over a decade. But between the company’s increasingly dismal track record on third-party access limits and a recent incident in which a bug exposed 6.8 million users’ photos to third-party developers, it’s hard to feel like things are going as well as they could on the user privacy and data management front.

In March, a ransomware attack locked down the City of Atlanta’s digital systems, destabilizing municipal operations. The recovery took months, not to mention millions of dollars. The notorious SamSam criminal hacking group targeted the city and asked for about $50,000-worth of bitcoin. The ransomware attack affected five of Atlanta’s 13 government departments, and undermined services like the Atlanta Police Department’s records system, infrastructure maintenance requests, and court networks. Atlanta residents also couldn’t pay their water bills for days. At the end of November, the Department of Justice indicted two Iranian men for allegedly carrying out SamSam attacks.

In the lead up to the Pyeongchang Olympics, Russian hackers launched a number of related cyberattacks as retaliation for the country’s doping ban from the games. Then, before the opening ceremony of the Olympics in February, they orchestrated a hack that crippled the event’s IT infrastructure, knocking out Wi-Fi, the Olympics website, and network devices in the process. Hackers used a worm dubbed Olympic Destroyer to wreak havoc as event technicians raced to restore service. Then in June, the same hackers reemerged—this time in preliminary spear phishing attacks against labs that research biological and chemical threats in France, Germany, Switzerland, Russia, and Ukraine. Specifically, the targeted lab investigating the poisoning of former Russian double agent Sergei Skripal. Those attacks did not turn destructive—although no telling if they might have had security researchers not spotted them first.

At the beginning of December, immediately following news of the Marriott attack, Quora announced that its platform had also been breached. Attackers made off with information from 100 million accounts. Quora first discovered the issue on November 30, and its internal security team is working with an outside firm to contain and investigate the incident. Though Quora doesn’t store financial information, details like a user’s Social Security number, other data like names, email addresses, IP addresses, usernames, encrypted passwords, user account settings, a user’s Quora activity and content—including drafts—and data from potentially linked services like Google and Facebook may have been compromised. The incident was significant partly for how mundane it seemed, despite its scale, next to the Marriott breach. Corporate data compromises are so common now that 100 million accounts exposed doesn’t even feel like a lot anymore.

A Russian hacking campaign aimed at routers compromised 500,000 devices worldwide this spring, using a type of malware called VPNFilter. The virus can be used to coordinate infected devices and turn them into a collective botnet, and it can also be used to spy on victims’ web activity and even manipulate it. US officials publicly attributed VPNFilter to Russia in May, and analysts have linked it to the well-known GRU hacking group Fancy Bear. At the beginning of June, researchers from Cisco Talos published findings that the malware was even more flexible and pernicious than it initially seemed. VPNFilter can be used to steal data and run spam campaigns or launch targeted attacks against specific victims. The malware can infect mainstream routers from companies like Netgear, TP-Link, Linksys, ASUS, D-Link, and Huawei.

At the beginning of September, British Airways revealed a data breach that impacted information from 380,000 reservations made between August 21 and September 5 of this year. The company said that names, addresses, email addresses, and sensitive payment card details were all stolen in the breach. Hackers from the well-known criminal group Magecart pulled off the attack by specifically evaluating the airline’s digital systems and tailoring a plan for installing malicious skimming code in its payment data entry forms. That way, any time someone entered information to make a reservation, all the data would silently go to Magecart.

Cathay Pacific also announced an even larger data breach perpetrated in March that impacted 9.4 million travelers. The airline first disclosed the breach at the end of October. It then added in November that the intrusion had been even more intense than it originally said, and that it took three months to fend the hackers off. Cathay has been widely criticized for its delayed disclosure and lack of transparency about the incident. Data stolen in the breach included passenger names, dates of birth, addresses, telephone numbers, email addresses, nationalities, passport numbers, frequent flier membership numbers, and other ID numbers. Airlines can be a particularly valuable target for hackers, because they hold both personal and financial data, as well as travel data and passport numbers.

The sales intelligence firm Apollo disclosed a massive breach in October that included a diverse array of information on companies and their employees. The incident involved billions of records, because Apollo is a data aggregator as part of its business analytics service. A lot of the data was publicly available and scraped from the web, including from LinkedIn and Twitter. But this can still be dangerous for hackers to get their hands on all in one place, because it makes it easier for them to craft spam and phishing campaigns and other types of digital attacks. Additionally, some of the compromised Apollo data was internal business intelligence information. Apollo’s database was left exposed and was easily accessible to anyone, like the security researcher who found the problem and disclosed it to Apollo. But the data also seems to have been accessed at least one other time as well.

Google announced in October that it is going to shut down its beleaguered social network Google+. The company said that after an extensive audit it had concluded that, essentially, Google+ wasn’t worth the expense to support and secure. The company also said that it had discovered a bug in Google+ that had exposed 500,000 users’ data for about three years. There’s not a lot of love lost between users and Google+ anyway, but things actually got even more real after that. At the beginning of December, Google announced that an additional bug in a Google+ API had exposed user data from 52.5 million accounts. The bug rolled out in a November 7 software update and Google found and corrected it by November 13, so app developers only had the problematic data access for six days. In both cases, Google said it doesn’t have any evidence that the bugs were exploited, meaning that these were probably exposures, not breaches. Nonetheless, after the second incident, the company fast-tracked Google+’s end date to April.